diff --git a/envoy/COMMIT b/envoy/COMMIT
index 4eff9908d7..73d01bbbd1 100644
--- a/envoy/COMMIT
+++ b/envoy/COMMIT
@@ -1 +1 @@
-70ba63a2e676f8676ab65840066729667c0af9bb
+a8569b648c582ac62db6be23125b5dd86513f474
diff --git a/envoy/extensions/filters/http/credential_injector/v3/credential_injector.pb.go b/envoy/extensions/filters/http/credential_injector/v3/credential_injector.pb.go
new file mode 100755
index 0000000000..c77e8da85c
--- /dev/null
+++ b/envoy/extensions/filters/http/credential_injector/v3/credential_injector.pb.go
@@ -0,0 +1,259 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.4
+// source: envoy/extensions/filters/http/credential_injector/v3/credential_injector.proto
+
+package credential_injectorv3
+
+import (
+	_ "github.com/cncf/xds/go/udpa/annotations"
+	_ "github.com/cncf/xds/go/xds/annotations/v3"
+	v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+	_ "github.com/envoyproxy/protoc-gen-validate/validate"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+// Credential Injector injects credentials into outgoing HTTP requests. The filter configuration is used to retrieve the credentials, or
+// they can be requested through the OAuth2 client credential grant. The credentials obtained are then injected into the Authorization header
+// of the proxied HTTP requests, utilizing either the Basic or Bearer scheme.
+//
+// If the credential is not present, the request will fail with 401 Unauthorized if fail_if_not_present is set to true.
+//
+// Notice: This filter is intended to be used for workload authentication, which means that the identity associated with the inserted credential
+// is considered as the identity of the workload behind the envoy proxy(in this case, envoy is typically deployed as a sidecar alongside that
+// workload). Please note that this filter does not handle end user authentication. Its purpose is solely to authenticate the workload itself.
+//
+// Here is an example of CredentialInjector configuration with Generic credential, which injects an HTTP Basic Auth credential into the proxied requests.
+//
+//	.. code-block:: yaml
+//
+//	overwrite: true
+//	fail_if_not_present: true
+//	credential:
+//	  name: generic_credential
+//	  typed_config:
+//	    "@type": type.googleapis.com/envoy.extensions.injected_credentials.generic.v3.Generic
+//	    credential:
+//	      name: credential
+//	      sds_config:
+//	        path_config_source:
+//	          path: credential.yaml
+//	    header: Authorization
+//
+// credential.yaml for Basic Auth:
+//
+//	.. code-block:: yaml
+//
+//	resources:
+//	- "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
+//	  name: credential
+//	  generic_secret:
+//	    secret:
+//	      inline_string: "Basic base64EncodedUsernamePassword"
+//
+// It can also be configured to inject a Bearer token into the proxied requests.
+// credential.yaml for Bearer Token:
+//
+//	.. code-block:: yaml
+//
+//	resources:
+//	- "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
+//	  name: credential
+//	  generic_secret:
+//	    secret:
+//	      inline_string: "Bearer myToken"
+type CredentialInjector struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// Whether to overwrite the value or not if the injected headers already exist.
+	// Value defaults to false.
+	Overwrite bool `protobuf:"varint,1,opt,name=overwrite,proto3" json:"overwrite,omitempty"`
+	// Whether to fail the request if the credential is not present.
+	// Value defaults to false.
+	// If set to true, the request will fail with 401 Unauthorized if the credential is not present.
+	FailIfNotPresent bool `protobuf:"varint,2,opt,name=fail_if_not_present,json=failIfNotPresent,proto3" json:"fail_if_not_present,omitempty"`
+	// The credential to inject into the proxied requests
+	// TODO add extension-category
+	Credential *v3.TypedExtensionConfig `protobuf:"bytes,3,opt,name=credential,proto3" json:"credential,omitempty"`
+}
+
+func (x *CredentialInjector) Reset() {
+	*x = CredentialInjector{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *CredentialInjector) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*CredentialInjector) ProtoMessage() {}
+
+func (x *CredentialInjector) ProtoReflect() protoreflect.Message {
+	mi := &file_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use CredentialInjector.ProtoReflect.Descriptor instead.
+func (*CredentialInjector) Descriptor() ([]byte, []int) {
+	return file_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *CredentialInjector) GetOverwrite() bool {
+	if x != nil {
+		return x.Overwrite
+	}
+	return false
+}
+
+func (x *CredentialInjector) GetFailIfNotPresent() bool {
+	if x != nil {
+		return x.FailIfNotPresent
+	}
+	return false
+}
+
+func (x *CredentialInjector) GetCredential() *v3.TypedExtensionConfig {
+	if x != nil {
+		return x.Credential
+	}
+	return nil
+}
+
+var File_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto protoreflect.FileDescriptor
+
+var file_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto_rawDesc = []byte{
+	0x0a, 0x4e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f,
+	0x6e, 0x73, 0x2f, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x73, 0x2f, 0x68, 0x74, 0x74, 0x70, 0x2f,
+	0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x5f, 0x69, 0x6e, 0x6a, 0x65, 0x63,
+	0x74, 0x6f, 0x72, 0x2f, 0x76, 0x33, 0x2f, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61,
+	0x6c, 0x5f, 0x69, 0x6e, 0x6a, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x12, 0x34, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f,
+	0x6e, 0x73, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x73, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x2e,
+	0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x5f, 0x69, 0x6e, 0x6a, 0x65, 0x63,
+	0x74, 0x6f, 0x72, 0x2e, 0x76, 0x33, 0x1a, 0x24, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x63, 0x6f,
+	0x6e, 0x66, 0x69, 0x67, 0x2f, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x76, 0x33, 0x2f, 0x65, 0x78, 0x74,
+	0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1f, 0x78, 0x64,
+	0x73, 0x2f, 0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x76, 0x33,
+	0x2f, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1d, 0x75,
+	0x64, 0x70, 0x61, 0x2f, 0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f,
+	0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x17, 0x76, 0x61,
+	0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x2f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x2e,
+	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xb7, 0x01, 0x0a, 0x12, 0x43, 0x72, 0x65, 0x64, 0x65, 0x6e,
+	0x74, 0x69, 0x61, 0x6c, 0x49, 0x6e, 0x6a, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x1c, 0x0a, 0x09,
+	0x6f, 0x76, 0x65, 0x72, 0x77, 0x72, 0x69, 0x74, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52,
+	0x09, 0x6f, 0x76, 0x65, 0x72, 0x77, 0x72, 0x69, 0x74, 0x65, 0x12, 0x2d, 0x0a, 0x13, 0x66, 0x61,
+	0x69, 0x6c, 0x5f, 0x69, 0x66, 0x5f, 0x6e, 0x6f, 0x74, 0x5f, 0x70, 0x72, 0x65, 0x73, 0x65, 0x6e,
+	0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x10, 0x66, 0x61, 0x69, 0x6c, 0x49, 0x66, 0x4e,
+	0x6f, 0x74, 0x50, 0x72, 0x65, 0x73, 0x65, 0x6e, 0x74, 0x12, 0x54, 0x0a, 0x0a, 0x63, 0x72, 0x65,
+	0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2a, 0x2e,
+	0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x63, 0x6f, 0x72,
+	0x65, 0x2e, 0x76, 0x33, 0x2e, 0x54, 0x79, 0x70, 0x65, 0x64, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73,
+	0x69, 0x6f, 0x6e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x42, 0x08, 0xfa, 0x42, 0x05, 0x8a, 0x01,
+	0x02, 0x10, 0x01, 0x52, 0x0a, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x42,
+	0xe2, 0x01, 0xba, 0x80, 0xc8, 0xd1, 0x06, 0x02, 0x10, 0x02, 0xd2, 0xc6, 0xa4, 0xe1, 0x06, 0x02,
+	0x08, 0x01, 0x0a, 0x42, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x70, 0x72, 0x6f, 0x78,
+	0x79, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f,
+	0x6e, 0x73, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x73, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x2e,
+	0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x5f, 0x69, 0x6e, 0x6a, 0x65, 0x63,
+	0x74, 0x6f, 0x72, 0x2e, 0x76, 0x33, 0x42, 0x17, 0x43, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69,
+	0x61, 0x6c, 0x49, 0x6e, 0x6a, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50,
+	0x01, 0x5a, 0x71, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x6e,
+	0x76, 0x6f, 0x79, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2f, 0x67, 0x6f, 0x2d, 0x63, 0x6f, 0x6e, 0x74,
+	0x72, 0x6f, 0x6c, 0x2d, 0x70, 0x6c, 0x61, 0x6e, 0x65, 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f,
+	0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x66, 0x69, 0x6c, 0x74, 0x65,
+	0x72, 0x73, 0x2f, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69,
+	0x61, 0x6c, 0x5f, 0x69, 0x6e, 0x6a, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x2f, 0x76, 0x33, 0x3b, 0x63,
+	0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x5f, 0x69, 0x6e, 0x6a, 0x65, 0x63, 0x74,
+	0x6f, 0x72, 0x76, 0x33, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto_rawDescOnce sync.Once
+	file_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto_rawDescData = file_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto_rawDesc
+)
+
+func file_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto_rawDescGZIP() []byte {
+	file_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto_rawDescOnce.Do(func() {
+		file_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto_rawDescData = protoimpl.X.CompressGZIP(file_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto_rawDescData)
+	})
+	return file_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto_rawDescData
+}
+
+var file_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto_msgTypes = make([]protoimpl.MessageInfo, 1)
+var file_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto_goTypes = []interface{}{
+	(*CredentialInjector)(nil),      // 0: envoy.extensions.filters.http.credential_injector.v3.CredentialInjector
+	(*v3.TypedExtensionConfig)(nil), // 1: envoy.config.core.v3.TypedExtensionConfig
+}
+var file_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto_depIdxs = []int32{
+	1, // 0: envoy.extensions.filters.http.credential_injector.v3.CredentialInjector.credential:type_name -> envoy.config.core.v3.TypedExtensionConfig
+	1, // [1:1] is the sub-list for method output_type
+	1, // [1:1] is the sub-list for method input_type
+	1, // [1:1] is the sub-list for extension type_name
+	1, // [1:1] is the sub-list for extension extendee
+	0, // [0:1] is the sub-list for field type_name
+}
+
+func init() {
+	file_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto_init()
+}
+func file_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto_init() {
+	if File_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*CredentialInjector); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   1,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto_goTypes,
+		DependencyIndexes: file_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto_depIdxs,
+		MessageInfos:      file_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto_msgTypes,
+	}.Build()
+	File_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto = out.File
+	file_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto_rawDesc = nil
+	file_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto_goTypes = nil
+	file_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto_depIdxs = nil
+}
diff --git a/envoy/extensions/filters/http/credential_injector/v3/credential_injector.pb.validate.go b/envoy/extensions/filters/http/credential_injector/v3/credential_injector.pb.validate.go
new file mode 100755
index 0000000000..377e35dfdf
--- /dev/null
+++ b/envoy/extensions/filters/http/credential_injector/v3/credential_injector.pb.validate.go
@@ -0,0 +1,182 @@
+// Code generated by protoc-gen-validate. DO NOT EDIT.
+// source: envoy/extensions/filters/http/credential_injector/v3/credential_injector.proto
+
+package credential_injectorv3
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"net"
+	"net/mail"
+	"net/url"
+	"regexp"
+	"sort"
+	"strings"
+	"time"
+	"unicode/utf8"
+
+	"google.golang.org/protobuf/types/known/anypb"
+)
+
+// ensure the imports are used
+var (
+	_ = bytes.MinRead
+	_ = errors.New("")
+	_ = fmt.Print
+	_ = utf8.UTFMax
+	_ = (*regexp.Regexp)(nil)
+	_ = (*strings.Reader)(nil)
+	_ = net.IPv4len
+	_ = time.Duration(0)
+	_ = (*url.URL)(nil)
+	_ = (*mail.Address)(nil)
+	_ = anypb.Any{}
+	_ = sort.Sort
+)
+
+// Validate checks the field values on CredentialInjector with the rules
+// defined in the proto definition for this message. If any rules are
+// violated, the first error encountered is returned, or nil if there are no violations.
+func (m *CredentialInjector) Validate() error {
+	return m.validate(false)
+}
+
+// ValidateAll checks the field values on CredentialInjector with the rules
+// defined in the proto definition for this message. If any rules are
+// violated, the result is a list of violation errors wrapped in
+// CredentialInjectorMultiError, or nil if none found.
+func (m *CredentialInjector) ValidateAll() error {
+	return m.validate(true)
+}
+
+func (m *CredentialInjector) validate(all bool) error {
+	if m == nil {
+		return nil
+	}
+
+	var errors []error
+
+	// no validation rules for Overwrite
+
+	// no validation rules for FailIfNotPresent
+
+	if m.GetCredential() == nil {
+		err := CredentialInjectorValidationError{
+			field:  "Credential",
+			reason: "value is required",
+		}
+		if !all {
+			return err
+		}
+		errors = append(errors, err)
+	}
+
+	if all {
+		switch v := interface{}(m.GetCredential()).(type) {
+		case interface{ ValidateAll() error }:
+			if err := v.ValidateAll(); err != nil {
+				errors = append(errors, CredentialInjectorValidationError{
+					field:  "Credential",
+					reason: "embedded message failed validation",
+					cause:  err,
+				})
+			}
+		case interface{ Validate() error }:
+			if err := v.Validate(); err != nil {
+				errors = append(errors, CredentialInjectorValidationError{
+					field:  "Credential",
+					reason: "embedded message failed validation",
+					cause:  err,
+				})
+			}
+		}
+	} else if v, ok := interface{}(m.GetCredential()).(interface{ Validate() error }); ok {
+		if err := v.Validate(); err != nil {
+			return CredentialInjectorValidationError{
+				field:  "Credential",
+				reason: "embedded message failed validation",
+				cause:  err,
+			}
+		}
+	}
+
+	if len(errors) > 0 {
+		return CredentialInjectorMultiError(errors)
+	}
+
+	return nil
+}
+
+// CredentialInjectorMultiError is an error wrapping multiple validation errors
+// returned by CredentialInjector.ValidateAll() if the designated constraints
+// aren't met.
+type CredentialInjectorMultiError []error
+
+// Error returns a concatenation of all the error messages it wraps.
+func (m CredentialInjectorMultiError) Error() string {
+	var msgs []string
+	for _, err := range m {
+		msgs = append(msgs, err.Error())
+	}
+	return strings.Join(msgs, "; ")
+}
+
+// AllErrors returns a list of validation violation errors.
+func (m CredentialInjectorMultiError) AllErrors() []error { return m }
+
+// CredentialInjectorValidationError is the validation error returned by
+// CredentialInjector.Validate if the designated constraints aren't met.
+type CredentialInjectorValidationError struct {
+	field  string
+	reason string
+	cause  error
+	key    bool
+}
+
+// Field function returns field value.
+func (e CredentialInjectorValidationError) Field() string { return e.field }
+
+// Reason function returns reason value.
+func (e CredentialInjectorValidationError) Reason() string { return e.reason }
+
+// Cause function returns cause value.
+func (e CredentialInjectorValidationError) Cause() error { return e.cause }
+
+// Key function returns key value.
+func (e CredentialInjectorValidationError) Key() bool { return e.key }
+
+// ErrorName returns error name.
+func (e CredentialInjectorValidationError) ErrorName() string {
+	return "CredentialInjectorValidationError"
+}
+
+// Error satisfies the builtin error interface
+func (e CredentialInjectorValidationError) Error() string {
+	cause := ""
+	if e.cause != nil {
+		cause = fmt.Sprintf(" | caused by: %v", e.cause)
+	}
+
+	key := ""
+	if e.key {
+		key = "key for "
+	}
+
+	return fmt.Sprintf(
+		"invalid %sCredentialInjector.%s: %s%s",
+		key,
+		e.field,
+		e.reason,
+		cause)
+}
+
+var _ error = CredentialInjectorValidationError{}
+
+var _ interface {
+	Field() string
+	Reason() string
+	Key() bool
+	Cause() error
+	ErrorName() string
+} = CredentialInjectorValidationError{}
diff --git a/envoy/extensions/injected_credentials/generic/v3/generic.pb.go b/envoy/extensions/injected_credentials/generic/v3/generic.pb.go
new file mode 100755
index 0000000000..3c1d81f6de
--- /dev/null
+++ b/envoy/extensions/injected_credentials/generic/v3/generic.pb.go
@@ -0,0 +1,235 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.4
+// source: envoy/extensions/injected_credentials/generic/v3/generic.proto
+
+package genericv3
+
+import (
+	_ "github.com/cncf/xds/go/udpa/annotations"
+	_ "github.com/cncf/xds/go/xds/annotations/v3"
+	v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
+	_ "github.com/envoyproxy/protoc-gen-validate/validate"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+// Generic extension can be used to inject HTTP Basic Auth, Bearer Token, or any arbitrary credential
+// into the proxied requests.
+// The credential will be injected into the specified HTTP request header.
+// Example:
+//
+//	.. code-block:: yaml
+//
+//	credential:
+//	  name: generic_credential
+//	  typed_config:
+//	    "@type": type.googleapis.com/envoy.extensions.injected_credentials.generic.v3.Generic
+//	    credential:
+//	      name: credential
+//	      sds_config:
+//	        path_config_source:
+//	          path: credential.yaml
+//	    header: Authorization
+//
+// credential.yaml for Basic Auth:
+//
+//	.. code-block:: yaml
+//
+//	resources:
+//	- "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
+//	  name: credential
+//	  generic_secret:
+//	    secret:
+//	      inline_string: "Basic base64EncodedUsernamePassword"
+//
+// Refer to [RFC 7617: The 'Basic' HTTP Authentication Scheme](https://www.rfc-editor.org/rfc/rfc7617) for details.
+//
+// credential.yaml for Bearer Token:
+//
+//	.. code-block:: yaml
+//	resources:
+//	- "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
+//	  name: credential
+//	  generic_secret:
+//	    secret:
+//	      inline_string: "Bearer myToken"
+//
+// Refer to [RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage](https://www.rfc-editor.org/rfc/rfc6750) for details.
+type Generic struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// The SDS configuration for the credential that will be injected to the specified HTTP request header.
+	// It must be a generic secret.
+	Credential *v3.SdsSecretConfig `protobuf:"bytes,1,opt,name=credential,proto3" json:"credential,omitempty"`
+	// The header that will be injected to the HTTP request with the provided credential.
+	// If not set, filter will default to: “Authorization“
+	Header string `protobuf:"bytes,2,opt,name=header,proto3" json:"header,omitempty"`
+}
+
+func (x *Generic) Reset() {
+	*x = Generic{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_envoy_extensions_injected_credentials_generic_v3_generic_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *Generic) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Generic) ProtoMessage() {}
+
+func (x *Generic) ProtoReflect() protoreflect.Message {
+	mi := &file_envoy_extensions_injected_credentials_generic_v3_generic_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Generic.ProtoReflect.Descriptor instead.
+func (*Generic) Descriptor() ([]byte, []int) {
+	return file_envoy_extensions_injected_credentials_generic_v3_generic_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *Generic) GetCredential() *v3.SdsSecretConfig {
+	if x != nil {
+		return x.Credential
+	}
+	return nil
+}
+
+func (x *Generic) GetHeader() string {
+	if x != nil {
+		return x.Header
+	}
+	return ""
+}
+
+var File_envoy_extensions_injected_credentials_generic_v3_generic_proto protoreflect.FileDescriptor
+
+var file_envoy_extensions_injected_credentials_generic_v3_generic_proto_rawDesc = []byte{
+	0x0a, 0x3e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f,
+	0x6e, 0x73, 0x2f, 0x69, 0x6e, 0x6a, 0x65, 0x63, 0x74, 0x65, 0x64, 0x5f, 0x63, 0x72, 0x65, 0x64,
+	0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x2f, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x69, 0x63, 0x2f,
+	0x76, 0x33, 0x2f, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x69, 0x63, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x12, 0x30, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f,
+	0x6e, 0x73, 0x2e, 0x69, 0x6e, 0x6a, 0x65, 0x63, 0x74, 0x65, 0x64, 0x5f, 0x63, 0x72, 0x65, 0x64,
+	0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x2e, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x69, 0x63, 0x2e,
+	0x76, 0x33, 0x1a, 0x36, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73,
+	0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x5f, 0x73,
+	0x6f, 0x63, 0x6b, 0x65, 0x74, 0x73, 0x2f, 0x74, 0x6c, 0x73, 0x2f, 0x76, 0x33, 0x2f, 0x73, 0x65,
+	0x63, 0x72, 0x65, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1f, 0x78, 0x64, 0x73, 0x2f,
+	0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x76, 0x33, 0x2f, 0x73,
+	0x74, 0x61, 0x74, 0x75, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1d, 0x75, 0x64, 0x70,
+	0x61, 0x2f, 0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x73, 0x74,
+	0x61, 0x74, 0x75, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x17, 0x76, 0x61, 0x6c, 0x69,
+	0x64, 0x61, 0x74, 0x65, 0x2f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x2e, 0x70, 0x72,
+	0x6f, 0x74, 0x6f, 0x22, 0x94, 0x01, 0x0a, 0x07, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x69, 0x63, 0x12,
+	0x64, 0x0a, 0x0a, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x0b, 0x32, 0x3a, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74, 0x65,
+	0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74,
+	0x5f, 0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x73, 0x2e, 0x74, 0x6c, 0x73, 0x2e, 0x76, 0x33, 0x2e,
+	0x53, 0x64, 0x73, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x42,
+	0x08, 0xfa, 0x42, 0x05, 0x8a, 0x01, 0x02, 0x10, 0x01, 0x52, 0x0a, 0x63, 0x72, 0x65, 0x64, 0x65,
+	0x6e, 0x74, 0x69, 0x61, 0x6c, 0x12, 0x23, 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18,
+	0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0x0b, 0xfa, 0x42, 0x08, 0x72, 0x06, 0xd0, 0x01, 0x01, 0xc0,
+	0x01, 0x01, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x42, 0xc3, 0x01, 0xba, 0x80, 0xc8,
+	0xd1, 0x06, 0x02, 0x10, 0x02, 0xd2, 0xc6, 0xa4, 0xe1, 0x06, 0x02, 0x08, 0x01, 0x0a, 0x3e, 0x69,
+	0x6f, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2e, 0x65, 0x6e, 0x76,
+	0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x69, 0x6e,
+	0x6a, 0x65, 0x63, 0x74, 0x65, 0x64, 0x5f, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61,
+	0x6c, 0x73, 0x2e, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x69, 0x63, 0x2e, 0x76, 0x33, 0x42, 0x0c, 0x47,
+	0x65, 0x6e, 0x65, 0x72, 0x69, 0x63, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x61, 0x67,
+	0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x70,
+	0x72, 0x6f, 0x78, 0x79, 0x2f, 0x67, 0x6f, 0x2d, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x2d,
+	0x70, 0x6c, 0x61, 0x6e, 0x65, 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x65, 0x78, 0x74, 0x65,
+	0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x69, 0x6e, 0x6a, 0x65, 0x63, 0x74, 0x65, 0x64, 0x5f,
+	0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x2f, 0x67, 0x65, 0x6e, 0x65,
+	0x72, 0x69, 0x63, 0x2f, 0x76, 0x33, 0x3b, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x69, 0x63, 0x76, 0x33,
+	0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_envoy_extensions_injected_credentials_generic_v3_generic_proto_rawDescOnce sync.Once
+	file_envoy_extensions_injected_credentials_generic_v3_generic_proto_rawDescData = file_envoy_extensions_injected_credentials_generic_v3_generic_proto_rawDesc
+)
+
+func file_envoy_extensions_injected_credentials_generic_v3_generic_proto_rawDescGZIP() []byte {
+	file_envoy_extensions_injected_credentials_generic_v3_generic_proto_rawDescOnce.Do(func() {
+		file_envoy_extensions_injected_credentials_generic_v3_generic_proto_rawDescData = protoimpl.X.CompressGZIP(file_envoy_extensions_injected_credentials_generic_v3_generic_proto_rawDescData)
+	})
+	return file_envoy_extensions_injected_credentials_generic_v3_generic_proto_rawDescData
+}
+
+var file_envoy_extensions_injected_credentials_generic_v3_generic_proto_msgTypes = make([]protoimpl.MessageInfo, 1)
+var file_envoy_extensions_injected_credentials_generic_v3_generic_proto_goTypes = []interface{}{
+	(*Generic)(nil),            // 0: envoy.extensions.injected_credentials.generic.v3.Generic
+	(*v3.SdsSecretConfig)(nil), // 1: envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig
+}
+var file_envoy_extensions_injected_credentials_generic_v3_generic_proto_depIdxs = []int32{
+	1, // 0: envoy.extensions.injected_credentials.generic.v3.Generic.credential:type_name -> envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig
+	1, // [1:1] is the sub-list for method output_type
+	1, // [1:1] is the sub-list for method input_type
+	1, // [1:1] is the sub-list for extension type_name
+	1, // [1:1] is the sub-list for extension extendee
+	0, // [0:1] is the sub-list for field type_name
+}
+
+func init() { file_envoy_extensions_injected_credentials_generic_v3_generic_proto_init() }
+func file_envoy_extensions_injected_credentials_generic_v3_generic_proto_init() {
+	if File_envoy_extensions_injected_credentials_generic_v3_generic_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_envoy_extensions_injected_credentials_generic_v3_generic_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Generic); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_envoy_extensions_injected_credentials_generic_v3_generic_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   1,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_envoy_extensions_injected_credentials_generic_v3_generic_proto_goTypes,
+		DependencyIndexes: file_envoy_extensions_injected_credentials_generic_v3_generic_proto_depIdxs,
+		MessageInfos:      file_envoy_extensions_injected_credentials_generic_v3_generic_proto_msgTypes,
+	}.Build()
+	File_envoy_extensions_injected_credentials_generic_v3_generic_proto = out.File
+	file_envoy_extensions_injected_credentials_generic_v3_generic_proto_rawDesc = nil
+	file_envoy_extensions_injected_credentials_generic_v3_generic_proto_goTypes = nil
+	file_envoy_extensions_injected_credentials_generic_v3_generic_proto_depIdxs = nil
+}
diff --git a/envoy/extensions/injected_credentials/generic/v3/generic.pb.validate.go b/envoy/extensions/injected_credentials/generic/v3/generic.pb.validate.go
new file mode 100755
index 0000000000..b2ac6d34e0
--- /dev/null
+++ b/envoy/extensions/injected_credentials/generic/v3/generic.pb.validate.go
@@ -0,0 +1,191 @@
+// Code generated by protoc-gen-validate. DO NOT EDIT.
+// source: envoy/extensions/injected_credentials/generic/v3/generic.proto
+
+package genericv3
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"net"
+	"net/mail"
+	"net/url"
+	"regexp"
+	"sort"
+	"strings"
+	"time"
+	"unicode/utf8"
+
+	"google.golang.org/protobuf/types/known/anypb"
+)
+
+// ensure the imports are used
+var (
+	_ = bytes.MinRead
+	_ = errors.New("")
+	_ = fmt.Print
+	_ = utf8.UTFMax
+	_ = (*regexp.Regexp)(nil)
+	_ = (*strings.Reader)(nil)
+	_ = net.IPv4len
+	_ = time.Duration(0)
+	_ = (*url.URL)(nil)
+	_ = (*mail.Address)(nil)
+	_ = anypb.Any{}
+	_ = sort.Sort
+)
+
+// Validate checks the field values on Generic with the rules defined in the
+// proto definition for this message. If any rules are violated, the first
+// error encountered is returned, or nil if there are no violations.
+func (m *Generic) Validate() error {
+	return m.validate(false)
+}
+
+// ValidateAll checks the field values on Generic with the rules defined in the
+// proto definition for this message. If any rules are violated, the result is
+// a list of violation errors wrapped in GenericMultiError, or nil if none found.
+func (m *Generic) ValidateAll() error {
+	return m.validate(true)
+}
+
+func (m *Generic) validate(all bool) error {
+	if m == nil {
+		return nil
+	}
+
+	var errors []error
+
+	if m.GetCredential() == nil {
+		err := GenericValidationError{
+			field:  "Credential",
+			reason: "value is required",
+		}
+		if !all {
+			return err
+		}
+		errors = append(errors, err)
+	}
+
+	if all {
+		switch v := interface{}(m.GetCredential()).(type) {
+		case interface{ ValidateAll() error }:
+			if err := v.ValidateAll(); err != nil {
+				errors = append(errors, GenericValidationError{
+					field:  "Credential",
+					reason: "embedded message failed validation",
+					cause:  err,
+				})
+			}
+		case interface{ Validate() error }:
+			if err := v.Validate(); err != nil {
+				errors = append(errors, GenericValidationError{
+					field:  "Credential",
+					reason: "embedded message failed validation",
+					cause:  err,
+				})
+			}
+		}
+	} else if v, ok := interface{}(m.GetCredential()).(interface{ Validate() error }); ok {
+		if err := v.Validate(); err != nil {
+			return GenericValidationError{
+				field:  "Credential",
+				reason: "embedded message failed validation",
+				cause:  err,
+			}
+		}
+	}
+
+	if m.GetHeader() != "" {
+
+		if !_Generic_Header_Pattern.MatchString(m.GetHeader()) {
+			err := GenericValidationError{
+				field:  "Header",
+				reason: "value does not match regex pattern \"^:?[0-9a-zA-Z!#$%&'*+-.^_|~`]+$\"",
+			}
+			if !all {
+				return err
+			}
+			errors = append(errors, err)
+		}
+
+	}
+
+	if len(errors) > 0 {
+		return GenericMultiError(errors)
+	}
+
+	return nil
+}
+
+// GenericMultiError is an error wrapping multiple validation errors returned
+// by Generic.ValidateAll() if the designated constraints aren't met.
+type GenericMultiError []error
+
+// Error returns a concatenation of all the error messages it wraps.
+func (m GenericMultiError) Error() string {
+	var msgs []string
+	for _, err := range m {
+		msgs = append(msgs, err.Error())
+	}
+	return strings.Join(msgs, "; ")
+}
+
+// AllErrors returns a list of validation violation errors.
+func (m GenericMultiError) AllErrors() []error { return m }
+
+// GenericValidationError is the validation error returned by Generic.Validate
+// if the designated constraints aren't met.
+type GenericValidationError struct {
+	field  string
+	reason string
+	cause  error
+	key    bool
+}
+
+// Field function returns field value.
+func (e GenericValidationError) Field() string { return e.field }
+
+// Reason function returns reason value.
+func (e GenericValidationError) Reason() string { return e.reason }
+
+// Cause function returns cause value.
+func (e GenericValidationError) Cause() error { return e.cause }
+
+// Key function returns key value.
+func (e GenericValidationError) Key() bool { return e.key }
+
+// ErrorName returns error name.
+func (e GenericValidationError) ErrorName() string { return "GenericValidationError" }
+
+// Error satisfies the builtin error interface
+func (e GenericValidationError) Error() string {
+	cause := ""
+	if e.cause != nil {
+		cause = fmt.Sprintf(" | caused by: %v", e.cause)
+	}
+
+	key := ""
+	if e.key {
+		key = "key for "
+	}
+
+	return fmt.Sprintf(
+		"invalid %sGeneric.%s: %s%s",
+		key,
+		e.field,
+		e.reason,
+		cause)
+}
+
+var _ error = GenericValidationError{}
+
+var _ interface {
+	Field() string
+	Reason() string
+	Key() bool
+	Cause() error
+	ErrorName() string
+} = GenericValidationError{}
+
+var _Generic_Header_Pattern = regexp.MustCompile("^:?[0-9a-zA-Z!#$%&'*+-.^_|~`]+$")
diff --git a/envoy/extensions/injected_credentials/oauth2/v3/oauth2.pb.go b/envoy/extensions/injected_credentials/oauth2/v3/oauth2.pb.go
new file mode 100755
index 0000000000..a6b18ae104
--- /dev/null
+++ b/envoy/extensions/injected_credentials/oauth2/v3/oauth2.pb.go
@@ -0,0 +1,399 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.4
+// source: envoy/extensions/injected_credentials/oauth2/v3/oauth2.proto
+
+package oauth2v3
+
+import (
+	_ "github.com/cncf/xds/go/udpa/annotations"
+	_ "github.com/cncf/xds/go/xds/annotations/v3"
+	v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+	v31 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
+	_ "github.com/envoyproxy/protoc-gen-validate/validate"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type OAuth2_AuthType int32
+
+const (
+	// The “client_id“ and “client_secret“ will be sent using HTTP Basic authentication scheme.
+	OAuth2_BASIC_AUTH OAuth2_AuthType = 0
+	// The “client_id“ and “client_secret“ will be sent in the URL encoded request body.
+	// This type should only be used when Auth server does not support Basic authentication.
+	OAuth2_URL_ENCODED_BODY OAuth2_AuthType = 1
+)
+
+// Enum value maps for OAuth2_AuthType.
+var (
+	OAuth2_AuthType_name = map[int32]string{
+		0: "BASIC_AUTH",
+		1: "URL_ENCODED_BODY",
+	}
+	OAuth2_AuthType_value = map[string]int32{
+		"BASIC_AUTH":       0,
+		"URL_ENCODED_BODY": 1,
+	}
+)
+
+func (x OAuth2_AuthType) Enum() *OAuth2_AuthType {
+	p := new(OAuth2_AuthType)
+	*p = x
+	return p
+}
+
+func (x OAuth2_AuthType) String() string {
+	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (OAuth2_AuthType) Descriptor() protoreflect.EnumDescriptor {
+	return file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_enumTypes[0].Descriptor()
+}
+
+func (OAuth2_AuthType) Type() protoreflect.EnumType {
+	return &file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_enumTypes[0]
+}
+
+func (x OAuth2_AuthType) Number() protoreflect.EnumNumber {
+	return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use OAuth2_AuthType.Descriptor instead.
+func (OAuth2_AuthType) EnumDescriptor() ([]byte, []int) {
+	return file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_rawDescGZIP(), []int{0, 0}
+}
+
+// OAuth2 extension can be used to retrieve an OAuth2 access token from an authorization server and inject it into the
+// proxied requests.
+// Currently, only the Client Credentials Grant flow is supported.
+// The access token will be injected into the request headers using the “Authorization“ header as a bearer token.
+type OAuth2 struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// Endpoint on the authorization server to retrieve the access token from.
+	// Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-3.2) for details.
+	TokenEndpoint *v3.HttpUri `protobuf:"bytes,1,opt,name=token_endpoint,json=tokenEndpoint,proto3" json:"token_endpoint,omitempty"`
+	// Optional list of OAuth scopes to be claimed in the authorization request.
+	// Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-4.4.2) for details.
+	Scopes []string `protobuf:"bytes,2,rep,name=scopes,proto3" json:"scopes,omitempty"`
+	// Types that are assignable to FlowType:
+	//
+	//	*OAuth2_ClientCredentials_
+	FlowType isOAuth2_FlowType `protobuf_oneof:"flow_type"`
+}
+
+func (x *OAuth2) Reset() {
+	*x = OAuth2{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *OAuth2) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*OAuth2) ProtoMessage() {}
+
+func (x *OAuth2) ProtoReflect() protoreflect.Message {
+	mi := &file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use OAuth2.ProtoReflect.Descriptor instead.
+func (*OAuth2) Descriptor() ([]byte, []int) {
+	return file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *OAuth2) GetTokenEndpoint() *v3.HttpUri {
+	if x != nil {
+		return x.TokenEndpoint
+	}
+	return nil
+}
+
+func (x *OAuth2) GetScopes() []string {
+	if x != nil {
+		return x.Scopes
+	}
+	return nil
+}
+
+func (m *OAuth2) GetFlowType() isOAuth2_FlowType {
+	if m != nil {
+		return m.FlowType
+	}
+	return nil
+}
+
+func (x *OAuth2) GetClientCredentials() *OAuth2_ClientCredentials {
+	if x, ok := x.GetFlowType().(*OAuth2_ClientCredentials_); ok {
+		return x.ClientCredentials
+	}
+	return nil
+}
+
+type isOAuth2_FlowType interface {
+	isOAuth2_FlowType()
+}
+
+type OAuth2_ClientCredentials_ struct {
+	// Client Credentials Grant.
+	// Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-4.4) for details.
+	ClientCredentials *OAuth2_ClientCredentials `protobuf:"bytes,3,opt,name=client_credentials,json=clientCredentials,proto3,oneof"`
+}
+
+func (*OAuth2_ClientCredentials_) isOAuth2_FlowType() {}
+
+// Credentials to authenticate client to the authorization server.
+// Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-2.3) for details.
+type OAuth2_ClientCredentials struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// Client ID.
+	// Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1) for details.
+	ClientId string `protobuf:"bytes,1,opt,name=client_id,json=clientId,proto3" json:"client_id,omitempty"`
+	// Client secret.
+	// Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1) for details.
+	ClientSecret *v31.SdsSecretConfig `protobuf:"bytes,2,opt,name=client_secret,json=clientSecret,proto3" json:"client_secret,omitempty"`
+	// The method to use when sending credentials to the authorization server.
+	// Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1) for details.
+	AuthType OAuth2_AuthType `protobuf:"varint,3,opt,name=auth_type,json=authType,proto3,enum=envoy.extensions.injected_credentials.oauth2.v3.OAuth2_AuthType" json:"auth_type,omitempty"`
+}
+
+func (x *OAuth2_ClientCredentials) Reset() {
+	*x = OAuth2_ClientCredentials{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *OAuth2_ClientCredentials) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*OAuth2_ClientCredentials) ProtoMessage() {}
+
+func (x *OAuth2_ClientCredentials) ProtoReflect() protoreflect.Message {
+	mi := &file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use OAuth2_ClientCredentials.ProtoReflect.Descriptor instead.
+func (*OAuth2_ClientCredentials) Descriptor() ([]byte, []int) {
+	return file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_rawDescGZIP(), []int{0, 0}
+}
+
+func (x *OAuth2_ClientCredentials) GetClientId() string {
+	if x != nil {
+		return x.ClientId
+	}
+	return ""
+}
+
+func (x *OAuth2_ClientCredentials) GetClientSecret() *v31.SdsSecretConfig {
+	if x != nil {
+		return x.ClientSecret
+	}
+	return nil
+}
+
+func (x *OAuth2_ClientCredentials) GetAuthType() OAuth2_AuthType {
+	if x != nil {
+		return x.AuthType
+	}
+	return OAuth2_BASIC_AUTH
+}
+
+var File_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto protoreflect.FileDescriptor
+
+var file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_rawDesc = []byte{
+	0x0a, 0x3c, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f,
+	0x6e, 0x73, 0x2f, 0x69, 0x6e, 0x6a, 0x65, 0x63, 0x74, 0x65, 0x64, 0x5f, 0x63, 0x72, 0x65, 0x64,
+	0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x2f, 0x6f, 0x61, 0x75, 0x74, 0x68, 0x32, 0x2f, 0x76,
+	0x33, 0x2f, 0x6f, 0x61, 0x75, 0x74, 0x68, 0x32, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x2f,
+	0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73,
+	0x2e, 0x69, 0x6e, 0x6a, 0x65, 0x63, 0x74, 0x65, 0x64, 0x5f, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e,
+	0x74, 0x69, 0x61, 0x6c, 0x73, 0x2e, 0x6f, 0x61, 0x75, 0x74, 0x68, 0x32, 0x2e, 0x76, 0x33, 0x1a,
+	0x23, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x63, 0x6f,
+	0x72, 0x65, 0x2f, 0x76, 0x33, 0x2f, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x75, 0x72, 0x69, 0x2e, 0x70,
+	0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x36, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x65, 0x78, 0x74, 0x65,
+	0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74,
+	0x5f, 0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x73, 0x2f, 0x74, 0x6c, 0x73, 0x2f, 0x76, 0x33, 0x2f,
+	0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1f, 0x78, 0x64,
+	0x73, 0x2f, 0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x76, 0x33,
+	0x2f, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1d, 0x75,
+	0x64, 0x70, 0x61, 0x2f, 0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f,
+	0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x17, 0x76, 0x61,
+	0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x2f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x2e,
+	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xb6, 0x04, 0x0a, 0x06, 0x4f, 0x41, 0x75, 0x74, 0x68, 0x32,
+	0x12, 0x4e, 0x0a, 0x0e, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x5f, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69,
+	0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79,
+	0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x33, 0x2e,
+	0x48, 0x74, 0x74, 0x70, 0x55, 0x72, 0x69, 0x42, 0x08, 0xfa, 0x42, 0x05, 0x8a, 0x01, 0x02, 0x10,
+	0x01, 0x52, 0x0d, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74,
+	0x12, 0x16, 0x0a, 0x06, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09,
+	0x52, 0x06, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x73, 0x12, 0x7a, 0x0a, 0x12, 0x63, 0x6c, 0x69, 0x65,
+	0x6e, 0x74, 0x5f, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x18, 0x03,
+	0x20, 0x01, 0x28, 0x0b, 0x32, 0x49, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74,
+	0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x69, 0x6e, 0x6a, 0x65, 0x63, 0x74, 0x65, 0x64,
+	0x5f, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x2e, 0x6f, 0x61, 0x75,
+	0x74, 0x68, 0x32, 0x2e, 0x76, 0x33, 0x2e, 0x4f, 0x41, 0x75, 0x74, 0x68, 0x32, 0x2e, 0x43, 0x6c,
+	0x69, 0x65, 0x6e, 0x74, 0x43, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x48,
+	0x00, 0x52, 0x11, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x43, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74,
+	0x69, 0x61, 0x6c, 0x73, 0x1a, 0x83, 0x02, 0x0a, 0x11, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x43,
+	0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x12, 0x24, 0x0a, 0x09, 0x63, 0x6c,
+	0x69, 0x65, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xfa,
+	0x42, 0x04, 0x72, 0x02, 0x10, 0x01, 0x52, 0x08, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x49, 0x64,
+	0x12, 0x69, 0x0a, 0x0d, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x73, 0x65, 0x63, 0x72, 0x65,
+	0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3a, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e,
+	0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x74, 0x72, 0x61, 0x6e, 0x73,
+	0x70, 0x6f, 0x72, 0x74, 0x5f, 0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x73, 0x2e, 0x74, 0x6c, 0x73,
+	0x2e, 0x76, 0x33, 0x2e, 0x53, 0x64, 0x73, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x43, 0x6f, 0x6e,
+	0x66, 0x69, 0x67, 0x42, 0x08, 0xfa, 0x42, 0x05, 0x8a, 0x01, 0x02, 0x10, 0x01, 0x52, 0x0c, 0x63,
+	0x6c, 0x69, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x12, 0x5d, 0x0a, 0x09, 0x61,
+	0x75, 0x74, 0x68, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x40,
+	0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e,
+	0x73, 0x2e, 0x69, 0x6e, 0x6a, 0x65, 0x63, 0x74, 0x65, 0x64, 0x5f, 0x63, 0x72, 0x65, 0x64, 0x65,
+	0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x2e, 0x6f, 0x61, 0x75, 0x74, 0x68, 0x32, 0x2e, 0x76, 0x33,
+	0x2e, 0x4f, 0x41, 0x75, 0x74, 0x68, 0x32, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x54, 0x79, 0x70, 0x65,
+	0x52, 0x08, 0x61, 0x75, 0x74, 0x68, 0x54, 0x79, 0x70, 0x65, 0x22, 0x30, 0x0a, 0x08, 0x41, 0x75,
+	0x74, 0x68, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0e, 0x0a, 0x0a, 0x42, 0x41, 0x53, 0x49, 0x43, 0x5f,
+	0x41, 0x55, 0x54, 0x48, 0x10, 0x00, 0x12, 0x14, 0x0a, 0x10, 0x55, 0x52, 0x4c, 0x5f, 0x45, 0x4e,
+	0x43, 0x4f, 0x44, 0x45, 0x44, 0x5f, 0x42, 0x4f, 0x44, 0x59, 0x10, 0x01, 0x42, 0x10, 0x0a, 0x09,
+	0x66, 0x6c, 0x6f, 0x77, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x12, 0x03, 0xf8, 0x42, 0x01, 0x42, 0xbf,
+	0x01, 0xba, 0x80, 0xc8, 0xd1, 0x06, 0x02, 0x10, 0x02, 0xd2, 0xc6, 0xa4, 0xe1, 0x06, 0x02, 0x08,
+	0x01, 0x0a, 0x3d, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x70, 0x72, 0x6f, 0x78, 0x79,
+	0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e,
+	0x73, 0x2e, 0x69, 0x6e, 0x6a, 0x65, 0x63, 0x74, 0x65, 0x64, 0x5f, 0x63, 0x72, 0x65, 0x64, 0x65,
+	0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x2e, 0x6f, 0x61, 0x75, 0x74, 0x68, 0x32, 0x2e, 0x76, 0x33,
+	0x42, 0x0b, 0x4f, 0x61, 0x75, 0x74, 0x68, 0x32, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a,
+	0x5f, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x6e, 0x76, 0x6f,
+	0x79, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2f, 0x67, 0x6f, 0x2d, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f,
+	0x6c, 0x2d, 0x70, 0x6c, 0x61, 0x6e, 0x65, 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x65, 0x78,
+	0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x69, 0x6e, 0x6a, 0x65, 0x63, 0x74, 0x65,
+	0x64, 0x5f, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x2f, 0x6f, 0x61,
+	0x75, 0x74, 0x68, 0x32, 0x2f, 0x76, 0x33, 0x3b, 0x6f, 0x61, 0x75, 0x74, 0x68, 0x32, 0x76, 0x33,
+	0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_rawDescOnce sync.Once
+	file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_rawDescData = file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_rawDesc
+)
+
+func file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_rawDescGZIP() []byte {
+	file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_rawDescOnce.Do(func() {
+		file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_rawDescData = protoimpl.X.CompressGZIP(file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_rawDescData)
+	})
+	return file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_rawDescData
+}
+
+var file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
+var file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
+var file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_goTypes = []interface{}{
+	(OAuth2_AuthType)(0),             // 0: envoy.extensions.injected_credentials.oauth2.v3.OAuth2.AuthType
+	(*OAuth2)(nil),                   // 1: envoy.extensions.injected_credentials.oauth2.v3.OAuth2
+	(*OAuth2_ClientCredentials)(nil), // 2: envoy.extensions.injected_credentials.oauth2.v3.OAuth2.ClientCredentials
+	(*v3.HttpUri)(nil),               // 3: envoy.config.core.v3.HttpUri
+	(*v31.SdsSecretConfig)(nil),      // 4: envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig
+}
+var file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_depIdxs = []int32{
+	3, // 0: envoy.extensions.injected_credentials.oauth2.v3.OAuth2.token_endpoint:type_name -> envoy.config.core.v3.HttpUri
+	2, // 1: envoy.extensions.injected_credentials.oauth2.v3.OAuth2.client_credentials:type_name -> envoy.extensions.injected_credentials.oauth2.v3.OAuth2.ClientCredentials
+	4, // 2: envoy.extensions.injected_credentials.oauth2.v3.OAuth2.ClientCredentials.client_secret:type_name -> envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig
+	0, // 3: envoy.extensions.injected_credentials.oauth2.v3.OAuth2.ClientCredentials.auth_type:type_name -> envoy.extensions.injected_credentials.oauth2.v3.OAuth2.AuthType
+	4, // [4:4] is the sub-list for method output_type
+	4, // [4:4] is the sub-list for method input_type
+	4, // [4:4] is the sub-list for extension type_name
+	4, // [4:4] is the sub-list for extension extendee
+	0, // [0:4] is the sub-list for field type_name
+}
+
+func init() { file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_init() }
+func file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_init() {
+	if File_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*OAuth2); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*OAuth2_ClientCredentials); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_msgTypes[0].OneofWrappers = []interface{}{
+		(*OAuth2_ClientCredentials_)(nil),
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_rawDesc,
+			NumEnums:      1,
+			NumMessages:   2,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_goTypes,
+		DependencyIndexes: file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_depIdxs,
+		EnumInfos:         file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_enumTypes,
+		MessageInfos:      file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_msgTypes,
+	}.Build()
+	File_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto = out.File
+	file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_rawDesc = nil
+	file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_goTypes = nil
+	file_envoy_extensions_injected_credentials_oauth2_v3_oauth2_proto_depIdxs = nil
+}
diff --git a/envoy/extensions/injected_credentials/oauth2/v3/oauth2.pb.validate.go b/envoy/extensions/injected_credentials/oauth2/v3/oauth2.pb.validate.go
new file mode 100755
index 0000000000..760838d17f
--- /dev/null
+++ b/envoy/extensions/injected_credentials/oauth2/v3/oauth2.pb.validate.go
@@ -0,0 +1,387 @@
+// Code generated by protoc-gen-validate. DO NOT EDIT.
+// source: envoy/extensions/injected_credentials/oauth2/v3/oauth2.proto
+
+package oauth2v3
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"net"
+	"net/mail"
+	"net/url"
+	"regexp"
+	"sort"
+	"strings"
+	"time"
+	"unicode/utf8"
+
+	"google.golang.org/protobuf/types/known/anypb"
+)
+
+// ensure the imports are used
+var (
+	_ = bytes.MinRead
+	_ = errors.New("")
+	_ = fmt.Print
+	_ = utf8.UTFMax
+	_ = (*regexp.Regexp)(nil)
+	_ = (*strings.Reader)(nil)
+	_ = net.IPv4len
+	_ = time.Duration(0)
+	_ = (*url.URL)(nil)
+	_ = (*mail.Address)(nil)
+	_ = anypb.Any{}
+	_ = sort.Sort
+)
+
+// Validate checks the field values on OAuth2 with the rules defined in the
+// proto definition for this message. If any rules are violated, the first
+// error encountered is returned, or nil if there are no violations.
+func (m *OAuth2) Validate() error {
+	return m.validate(false)
+}
+
+// ValidateAll checks the field values on OAuth2 with the rules defined in the
+// proto definition for this message. If any rules are violated, the result is
+// a list of violation errors wrapped in OAuth2MultiError, or nil if none found.
+func (m *OAuth2) ValidateAll() error {
+	return m.validate(true)
+}
+
+func (m *OAuth2) validate(all bool) error {
+	if m == nil {
+		return nil
+	}
+
+	var errors []error
+
+	if m.GetTokenEndpoint() == nil {
+		err := OAuth2ValidationError{
+			field:  "TokenEndpoint",
+			reason: "value is required",
+		}
+		if !all {
+			return err
+		}
+		errors = append(errors, err)
+	}
+
+	if all {
+		switch v := interface{}(m.GetTokenEndpoint()).(type) {
+		case interface{ ValidateAll() error }:
+			if err := v.ValidateAll(); err != nil {
+				errors = append(errors, OAuth2ValidationError{
+					field:  "TokenEndpoint",
+					reason: "embedded message failed validation",
+					cause:  err,
+				})
+			}
+		case interface{ Validate() error }:
+			if err := v.Validate(); err != nil {
+				errors = append(errors, OAuth2ValidationError{
+					field:  "TokenEndpoint",
+					reason: "embedded message failed validation",
+					cause:  err,
+				})
+			}
+		}
+	} else if v, ok := interface{}(m.GetTokenEndpoint()).(interface{ Validate() error }); ok {
+		if err := v.Validate(); err != nil {
+			return OAuth2ValidationError{
+				field:  "TokenEndpoint",
+				reason: "embedded message failed validation",
+				cause:  err,
+			}
+		}
+	}
+
+	oneofFlowTypePresent := false
+	switch v := m.FlowType.(type) {
+	case *OAuth2_ClientCredentials_:
+		if v == nil {
+			err := OAuth2ValidationError{
+				field:  "FlowType",
+				reason: "oneof value cannot be a typed-nil",
+			}
+			if !all {
+				return err
+			}
+			errors = append(errors, err)
+		}
+		oneofFlowTypePresent = true
+
+		if all {
+			switch v := interface{}(m.GetClientCredentials()).(type) {
+			case interface{ ValidateAll() error }:
+				if err := v.ValidateAll(); err != nil {
+					errors = append(errors, OAuth2ValidationError{
+						field:  "ClientCredentials",
+						reason: "embedded message failed validation",
+						cause:  err,
+					})
+				}
+			case interface{ Validate() error }:
+				if err := v.Validate(); err != nil {
+					errors = append(errors, OAuth2ValidationError{
+						field:  "ClientCredentials",
+						reason: "embedded message failed validation",
+						cause:  err,
+					})
+				}
+			}
+		} else if v, ok := interface{}(m.GetClientCredentials()).(interface{ Validate() error }); ok {
+			if err := v.Validate(); err != nil {
+				return OAuth2ValidationError{
+					field:  "ClientCredentials",
+					reason: "embedded message failed validation",
+					cause:  err,
+				}
+			}
+		}
+
+	default:
+		_ = v // ensures v is used
+	}
+	if !oneofFlowTypePresent {
+		err := OAuth2ValidationError{
+			field:  "FlowType",
+			reason: "value is required",
+		}
+		if !all {
+			return err
+		}
+		errors = append(errors, err)
+	}
+
+	if len(errors) > 0 {
+		return OAuth2MultiError(errors)
+	}
+
+	return nil
+}
+
+// OAuth2MultiError is an error wrapping multiple validation errors returned by
+// OAuth2.ValidateAll() if the designated constraints aren't met.
+type OAuth2MultiError []error
+
+// Error returns a concatenation of all the error messages it wraps.
+func (m OAuth2MultiError) Error() string {
+	var msgs []string
+	for _, err := range m {
+		msgs = append(msgs, err.Error())
+	}
+	return strings.Join(msgs, "; ")
+}
+
+// AllErrors returns a list of validation violation errors.
+func (m OAuth2MultiError) AllErrors() []error { return m }
+
+// OAuth2ValidationError is the validation error returned by OAuth2.Validate if
+// the designated constraints aren't met.
+type OAuth2ValidationError struct {
+	field  string
+	reason string
+	cause  error
+	key    bool
+}
+
+// Field function returns field value.
+func (e OAuth2ValidationError) Field() string { return e.field }
+
+// Reason function returns reason value.
+func (e OAuth2ValidationError) Reason() string { return e.reason }
+
+// Cause function returns cause value.
+func (e OAuth2ValidationError) Cause() error { return e.cause }
+
+// Key function returns key value.
+func (e OAuth2ValidationError) Key() bool { return e.key }
+
+// ErrorName returns error name.
+func (e OAuth2ValidationError) ErrorName() string { return "OAuth2ValidationError" }
+
+// Error satisfies the builtin error interface
+func (e OAuth2ValidationError) Error() string {
+	cause := ""
+	if e.cause != nil {
+		cause = fmt.Sprintf(" | caused by: %v", e.cause)
+	}
+
+	key := ""
+	if e.key {
+		key = "key for "
+	}
+
+	return fmt.Sprintf(
+		"invalid %sOAuth2.%s: %s%s",
+		key,
+		e.field,
+		e.reason,
+		cause)
+}
+
+var _ error = OAuth2ValidationError{}
+
+var _ interface {
+	Field() string
+	Reason() string
+	Key() bool
+	Cause() error
+	ErrorName() string
+} = OAuth2ValidationError{}
+
+// Validate checks the field values on OAuth2_ClientCredentials with the rules
+// defined in the proto definition for this message. If any rules are
+// violated, the first error encountered is returned, or nil if there are no violations.
+func (m *OAuth2_ClientCredentials) Validate() error {
+	return m.validate(false)
+}
+
+// ValidateAll checks the field values on OAuth2_ClientCredentials with the
+// rules defined in the proto definition for this message. If any rules are
+// violated, the result is a list of violation errors wrapped in
+// OAuth2_ClientCredentialsMultiError, or nil if none found.
+func (m *OAuth2_ClientCredentials) ValidateAll() error {
+	return m.validate(true)
+}
+
+func (m *OAuth2_ClientCredentials) validate(all bool) error {
+	if m == nil {
+		return nil
+	}
+
+	var errors []error
+
+	if utf8.RuneCountInString(m.GetClientId()) < 1 {
+		err := OAuth2_ClientCredentialsValidationError{
+			field:  "ClientId",
+			reason: "value length must be at least 1 runes",
+		}
+		if !all {
+			return err
+		}
+		errors = append(errors, err)
+	}
+
+	if m.GetClientSecret() == nil {
+		err := OAuth2_ClientCredentialsValidationError{
+			field:  "ClientSecret",
+			reason: "value is required",
+		}
+		if !all {
+			return err
+		}
+		errors = append(errors, err)
+	}
+
+	if all {
+		switch v := interface{}(m.GetClientSecret()).(type) {
+		case interface{ ValidateAll() error }:
+			if err := v.ValidateAll(); err != nil {
+				errors = append(errors, OAuth2_ClientCredentialsValidationError{
+					field:  "ClientSecret",
+					reason: "embedded message failed validation",
+					cause:  err,
+				})
+			}
+		case interface{ Validate() error }:
+			if err := v.Validate(); err != nil {
+				errors = append(errors, OAuth2_ClientCredentialsValidationError{
+					field:  "ClientSecret",
+					reason: "embedded message failed validation",
+					cause:  err,
+				})
+			}
+		}
+	} else if v, ok := interface{}(m.GetClientSecret()).(interface{ Validate() error }); ok {
+		if err := v.Validate(); err != nil {
+			return OAuth2_ClientCredentialsValidationError{
+				field:  "ClientSecret",
+				reason: "embedded message failed validation",
+				cause:  err,
+			}
+		}
+	}
+
+	// no validation rules for AuthType
+
+	if len(errors) > 0 {
+		return OAuth2_ClientCredentialsMultiError(errors)
+	}
+
+	return nil
+}
+
+// OAuth2_ClientCredentialsMultiError is an error wrapping multiple validation
+// errors returned by OAuth2_ClientCredentials.ValidateAll() if the designated
+// constraints aren't met.
+type OAuth2_ClientCredentialsMultiError []error
+
+// Error returns a concatenation of all the error messages it wraps.
+func (m OAuth2_ClientCredentialsMultiError) Error() string {
+	var msgs []string
+	for _, err := range m {
+		msgs = append(msgs, err.Error())
+	}
+	return strings.Join(msgs, "; ")
+}
+
+// AllErrors returns a list of validation violation errors.
+func (m OAuth2_ClientCredentialsMultiError) AllErrors() []error { return m }
+
+// OAuth2_ClientCredentialsValidationError is the validation error returned by
+// OAuth2_ClientCredentials.Validate if the designated constraints aren't met.
+type OAuth2_ClientCredentialsValidationError struct {
+	field  string
+	reason string
+	cause  error
+	key    bool
+}
+
+// Field function returns field value.
+func (e OAuth2_ClientCredentialsValidationError) Field() string { return e.field }
+
+// Reason function returns reason value.
+func (e OAuth2_ClientCredentialsValidationError) Reason() string { return e.reason }
+
+// Cause function returns cause value.
+func (e OAuth2_ClientCredentialsValidationError) Cause() error { return e.cause }
+
+// Key function returns key value.
+func (e OAuth2_ClientCredentialsValidationError) Key() bool { return e.key }
+
+// ErrorName returns error name.
+func (e OAuth2_ClientCredentialsValidationError) ErrorName() string {
+	return "OAuth2_ClientCredentialsValidationError"
+}
+
+// Error satisfies the builtin error interface
+func (e OAuth2_ClientCredentialsValidationError) Error() string {
+	cause := ""
+	if e.cause != nil {
+		cause = fmt.Sprintf(" | caused by: %v", e.cause)
+	}
+
+	key := ""
+	if e.key {
+		key = "key for "
+	}
+
+	return fmt.Sprintf(
+		"invalid %sOAuth2_ClientCredentials.%s: %s%s",
+		key,
+		e.field,
+		e.reason,
+		cause)
+}
+
+var _ error = OAuth2_ClientCredentialsValidationError{}
+
+var _ interface {
+	Field() string
+	Reason() string
+	Key() bool
+	Cause() error
+	ErrorName() string
+} = OAuth2_ClientCredentialsValidationError{}